From: Stephen Smalley <stephen.smalley@gmail.com>
To: selinux <selinux@tycho.nsa.gov>
Subject: [RFC][PATCH] selinux-testsuite: Add test for execstack on thread stack
Date: Wed, 06 Apr 2016 13:01:50 -0700 [thread overview]
Message-ID: <1459972910.5403.5.camel@gmail.com> (raw)
In-Reply-To: <1459972627.5403.2.camel@gmail.com>
Test execstack permission checking for thread stacks.
This depends on the corresponding kernel patch to apply
the check for thread stacks in addition to the main process
stack.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
tests/mmap/Makefile | 2 ++
tests/mmap/mprotect_stack_thread.c | 33 +++++++++++++++++++++++++++++++++
tests/mmap/test | 8 +++++++-
3 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 tests/mmap/mprotect_stack_thread.c
diff --git a/tests/mmap/Makefile b/tests/mmap/Makefile
index f2f486c..e330f3e 100644
--- a/tests/mmap/Makefile
+++ b/tests/mmap/Makefile
@@ -1,5 +1,7 @@
TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+LDLIBS += -lpthread
+
all: $(TARGETS)
clean:
diff --git a/tests/mmap/mprotect_stack_thread.c b/tests/mmap/mprotect_stack_thread.c
new file mode 100644
index 0000000..457b294
--- /dev/null
+++ b/tests/mmap/mprotect_stack_thread.c
@@ -0,0 +1,33 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <pthread.h>
+
+static void *test_thread(void *p)
+{
+ char buf[4096];
+ int rc;
+ void *ptr;
+ long pagesize = sysconf(_SC_PAGESIZE);
+
+ ptr = (void *) (((unsigned long) buf) & ~(pagesize - 1));
+
+ rc = mprotect(ptr, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC);
+ if (rc < 0) {
+ perror("mprotect");
+ exit(1);
+ }
+ return NULL;
+}
+
+int main(void)
+{
+ pthread_t thread;
+
+ pthread_create(&thread, NULL, test_thread, NULL);
+ pthread_join(thread, NULL);
+ exit(0);
+}
+
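Review bot: `pthread_create()` in main() is called without checking its return value, so if thread creation fails the program calls `pthread_join()` on an uninitialized `pthread_t` and then reaches `exit(0)`. In that case the test_execstack_t run would report success although mprotect() never ran on a thread stack. Fail explicitly with a status distinct from the mprotect failure path, e.g. `if (pthread_create(&thread, NULL, test_thread, NULL) != 0) { fprintf(stderr, "pthread_create failed\n"); exit(2); }`. In test_thread(), `<errno.h>` is included but errno is never inspected, so exiting 1 only when `errno == EACCES` would let the caller tell a policy denial from an unrelated mprotect error. A one-line comment on `buf` saying it exists only to obtain an address inside this thread's stack would also help readers.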
diff --git a/tests/mmap/test b/tests/mmap/test
index 6b1de55..89badda 100755
--- a/tests/mmap/test
+++ b/tests/mmap/test
@@ -1,7 +1,7 @@
#!/usr/bin/perl
use Test;
-BEGIN { plan tests => 30}
+BEGIN { plan tests => 32}
$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|;
@@ -68,6 +68,12 @@ ok($result, 0);
$result = system "runcon -t test_execmem_t $basedir/mprotect_stack 2>&1";
ok($result);
+# Test success and failure for thread execstack, independent of execmem.
+$result = system "runcon -t test_execstack_t $basedir/mprotect_stack_thread";
+ok($result, 0);
+$result = system "runcon -t test_execmem_t $basedir/mprotect_stack_thread 2>&1";
+ok($result);
+
# Test success and failure for file execute on mmap w/ file shared mapping.
$result = system "runcon -t test_file_rwx_t $basedir/mmap_file_shared $basedir/temp_file";
ok($result, 0);
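Review bot: The negative case `ok($result)` after the test_execmem_t run passes on any non-zero status, so a failed runcon transition, a missing binary or an unrelated mprotect error counts the same as the expected execstack denial. This follows the existing mprotect_stack check in the context lines above, so it is consistent with the file. But a check meant to prove that the kernel applies execstack to thread stacks is stronger if it asserts the exit code the helper uses for the denial, e.g. `ok($result >> 8, 1);`. That only helps if the helper reserves that code for `EACCES` from mprotect(). The comment could also state which permission test_execmem_t is expected to lack, since the policy is not visible from this patch.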
--
2.8.0
2016-04-06 19:57 [RFC][PATCH] selinux: apply execstack check on thread stacks Stephen Smalley
2016-04-06 20:01 ` Stephen Smalley [this message]
2016-04-06 23:04 ` Nick Kralevich